An Android spyware family is using the DroidPlugin open-source sandbox to evade detection by anti-virus software installed on infected devices.

The offending trojan, which goes by the name Triada, has been targeting Android users since at least mid-2016. Like most other nefarious programs, this newly minted top mobile malware uses social engineering techniques to deceive people into installing it onto their devices. It then steals victims’ password information in the background.

Triada’s developers want their creation to infect as many users as possible. As such, they’ve outfitted their malware with a new trick.

In this new campaign, the trojan masquerades as Wandoujia, one of China’s most prominent Android app stores. Upon successful installation, Triada uses the DroidPlugin open-source sandbox to invoke malicious APK plugins it hides in its asset directory. It executes these plugins within DroidPlugin; as such, it doesn’t actually install them onto an infected phone.

These plugins are essential to Triada’s functionality. One plugin communicates with the malware’s command and control (C&C) server, for example. Another enables the program to conduct radio monitoring of the device.

Here’s a list of the spyware’s primary plugins:

android.adapi.camera

android.adapi.contact

android.adapi.file

android.adapi.location

android.adapi.online

android.adapi.radio

android.adapi.task

android.adapi.update

android.adapi.wifi

Triada isn’t the first Android malware that has used DroidPlugin and other plugin frameworks to carry out their dirty work. As Avast’s threat intelligence team explains in a blog post, it has a distinct advantage for doing so:

“Why the malware developer started to use the DroidPlugin sandbox to dynamically load and run the plugins is interesting, as the malicious plugins could just be directly implemented in one app, without a sandbox. Based on our experience, we suspect this is done to bypass antivirus detections. If the host app doesn’t include malicious actions, and all the malicious actions are moved to plugins which are dynamically downloaded, it makes it difficult for antivirus solutions to detect the host app.”

No doubt we will see other malware abuse plugin frameworks to discharge their malicious functions. Acknowledging these likely threats, Android users should protect themselves by installing apps only from Google’s Play Store. They should also maintain an updated security solution on their phones and keep their device up-to-date.

One Response

One thing that drives me crazy, is that all these infosec guys like to put there own name on certain malware families, instead of following the lead. Anyways, here are some more helpful links, that other researchers have done on this duel instance Droid Plug-in frameworks malware.

Smashing Security podcast

Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!